A client is using Siteminder r12 and wants to integrate it with Pulse Secure VPN.
(The idea is to have Siteminder authentication when opening a VPN client and benefit from SSO to access applications.)
Does anyone have experience with this setup, or any information?
Pulse Secure VPN is client application software, while Siteminder uses a web browser plus cookie support.
This integration is definitely not something that works out of the box.
There are two places to look for any existing known 3rd party integration solutions.
CA Global Delivery Packaged Work Product Download Index - CA Technologies
SaaS validation program:
CA Single Sign-On Security SaaS Validation Program Runbook Library
I do not see either one mentioning Pulse Secure VPN, so this may not be a certified solution.
As my colleague Hongxu mentioned, I do not know if you could integrate the Pulse Secure VPN client directly, but I wonder if you meant the Pulse Secure Access SSL VPN appliance, which you can integrate with Siteminder, and then you may use the Secure Access portal (where you can launch the Pulse VPN client) to access applications protected with Siteminder. As per Juniper documentation:
The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with other common authentication servers. By using a single sign-on SMSESSION cookie, it also provides seamless access to all backend applications and servers protected by Siteminder authentication.

Overview

Along with authentication by Siteminder, SA also supports role mapping based on user attributes. In addition to LDAP and RADIUS, you can use Siteminder for retrieving user attributes that can be used in role mapping. When you authenticate SA users using a Netegrity Siteminder policy server, you can enable access to Siteminder protected resources without re-authenticating if authorized with the correct protection level. Additionally, you can re-authenticate users through the SA if they request resources above their current protection level. And you can enable users to sign into the policy server first and then access the SA without re-authenticating.
There is a guide covering this integration, although it is quite old: Here.
You could also ask Juniper whether they have updated documentation, although judging by the integration steps documented, the procedure may be very similar on current CA SSO/Siteminder releases (and also IVE releases).
I hope it helps.
Have used the clientless SSL VPN with Juniper / Cisco and CA SSO using SAML. It's fairly straightforward with SAML 2.0 - no need for it to know about SMSESSION or anything else, just normal ol' SAML integration to the CA SSO IDP.
Then when users access it via their web browser, they can sign in with whatever you require or get SSO if already having a session. Added benefit as well is that once you sign into the VPN that way you don't necessarily have to again when going to an app (since you already established your SMSESSION during that log in to the VPN itself).
I'd imagine if you're going that (clientless SSL VPN) route it shouldn't be a problem. Just follow Juniper's SAML 2.0 setup docs for getting the VPN appliance configured.